Journal on Communications, 2021, Vol. 42, Issue 4: 127-138. doi: 10.11959/j.issn.1000-436x.2021046
Bolin MA1, Zheng ZHANG1, Hao LIU2, Jiangxing WU1
Revised: 2021-01-28
Online: 2021-04-25
Published: 2021-04-01
Bolin MA, Zheng ZHANG, Hao LIU, Jiangxing WU. SQLMVED: SQL injection runtime prevention system based on multi-variant execution[J]. Journal on Communications, 2021, 42(4): 127-138.
| Attack type | Attack target | Example |
| --- | --- | --- |
| Tautology | 1), 2) | SELECT account FROM users WHERE login = 'zhangsan' or 1=1-- ' AND pass='1234'; |
| Batch query | 1), 2), 3) | SELECT account FROM users WHERE login = 'zhangsan' AND pass=' '; drop table users -- '; |
| Error echo | 2), 3), 4) | SELECT account FROM users WHERE login = 'zhangsan' AND (SELECT 1 FROM (SELECT count(*),concat((SELECT account FROM users WHERE login = 'zhangsan'),floor(rand(0)*2))x FROM users group by x)a)-- ' AND pass='1234'; |
| Union query | 1), 2) | SELECT account FROM users WHERE login = 'zhangsan' UNION SELECT * FROM users WHERE login = 'zhangsan' -- ' AND pass='1234'; |
| Stored procedure | 1), 2), 3) | CREATE PROCEDURE DBO.isAuthenticated @userName varchar2, @pass varchar2, @pin int AS EXEC(''SELECT accounts FROM users WHERE login=''' +@userName+ ''' AND pass=''' +@password+ ''' AND pin=''+@pin); GO |
| Blind injection | 2), 4) | Boolean blind injection: SELECT account FROM users WHERE login='zhangsan' AND SELECT length(database())>n-- ' AND pass='1234'; Time blind injection: SELECT account FROM users WHERE login='zhangsan' AND if(length(database())>=8,sleep(5),1)-- ' AND pass='1234'; |
| Alternate encoding | 5) | SELECT account FROM users WHERE login='zhangsan'; exec(char(0x73687574646f776e)) -- AND pass=''; |
| Application | Injection point | LAMP architecture | SQLMVED architecture |
| --- | --- | --- | --- |
| bWAPP 2.2 (Low) | GET/Search | × | √ |
| | POST/Select | × | √ |
| | Login Form/Hero | × | √ |
| | Drupal | × | × |
| | Stored User-Agent | × | √ |
| | Blind Time-Based | × | √ |
| | GET/Select | × | √ |
| | AJAX/JSON/jQuery | × | √ |
| | Login Form/User | × | √ |
| | Stored Blog | × | √ |
| | Stored XML | × | √ |
| | Blind SQLite | × | × |
| | POST/Search | × | √ |
| | CAPTCHA | × | √ |
| | SQLite | × | × |
| | Stored SQLite | × | × |
| | Blind Boolean-Based | × | √ |
| | Blind Web Services/SOAP | × | √ |
| DVWA 1.9 (Low) | sqli | × | √ |
| | sqli_blind | × | √ |
| SQLI-LABS (Less 1~20) | Error Based- String (GET) | × | √ |
| | Error Based- Double Quotes- String (GET) | × | √ |
| | Dump into Outfile (GET) | × | √ |
| | Blind- Time Based- Double Quotes- String (GET) | × | √ |
| | Double Injection- String- with Twist (POST) | × | √ |
| | Blind- Time Based- Double Quotes- String (POST) | × | √ |
| | Header Injection- Referer- Error Based- String (POST) | × | √ |
| | Error Based- Integer (GET) | × | √ |
| | Double Query- Single Quotes- String (GET) | × | √ |
| | Blind- Boolean- Single Quotes- String (GET) | × | √ |
| | Error Based- String (POST) | × | √ |
| | Double Injection- Double Quotes- String (POST) | × | √ |
| | Update Query- Error Based- String (POST) | × | √ |
| | Cookie Injection- Error Based- String (POST) | × | √ |
| | Error Based- String with Twist (GET) | × | √ |
| | Double Query- Double Quotes- String (GET) | × | √ |
| | Blind- Time Based- Single Quotes- String (GET) | × | √ |
| | Error Based- Double Quotes- String (POST) | × | √ |
| | Blind- Boolean Based- String (POST) | × | √ |
| | Header Injection- Error Based- String (POST) | × | √ |